Secure biometric authentication using electronic identity

ABSTRACT

Embodiments of the invention are directed to a method. The method may comprise receiving a second biometric template of a user, and providing an authentication request message comprising an electronic identity and a derivative of the second biometric template of the user to a resource provider computer to conduct an interaction. The authentication request may be forwarded to a processing server computer by the resource provider computer, and the user device may receive an authentication response message comprising an authentication result from the processing server computer. The authentication result may be determined by the processing server computer based on a comparison of the derivative of the second biometric template to a derivative of a first biometric template accessible to the processing server computer. The authentication result may also be based on the validity of the electronic identity.

CROSS-REFERENCES TO RELATED APPLICATIONS

NONE.

BACKGROUND

In today's technological environment, it is typical for individuals to carry around identification cards for proving their identity. The identification cards may be issued by a government agency or financial institution, which may assign an identification number or account number to a user. An identification card may have an identification number, the user's name, and possibly a photograph of the user printed, embossed, and/or stored on the card. When a user wants to prove his or her identity, the user may present the card, and any credentials on the card may be verified to authenticate the user.

A number of issues may arise from the use of identification cards as a means of identification. Firstly, users often have to carry around multiple identification cards in order to receive a variety of goods and/or services. For example, a user may carry a driver's license, multiple credit/debit cards, a social security card, a medical insurance card, etc. This may be inconvenient for the user, and may further increase the chances of a user's identity being stolen. In addition, the use of identification cards may be especially inconvenient when presenting credentials online, when users often need to scan or even manually enter their information. Secondly, the validity of an identification card is often subject to human evaluation, which can be inconsistent and assumes that the person evaluating an identification card is trustworthy. This may lead to further inconveniences for a user, such as an employee that may steal a user's information, or an employee that may view an identification card as invalid due to a slight change in a user's appearance. Lastly, the human factor of identification is often lacking or unsatisfactory in its implementation when it comes to identification cards. That is to say, identification systems that utilize cards often do not require biometric authentication, and those that do expect users to trust that their biometric data cannot be stolen and used in unwanted ways.

What is needed in the art is a secure method for proving one's identity.

BRIEF SUMMARY

Embodiments of the invention are directed to a method. The method may comprise receiving a second biometric template of a user, and providing an authentication request message comprising an electronic identity and a derivative of the second biometric template of the user to a resource provider computer to conduct an interaction. The authentication request may be forwarded to a processing server computer by the resource provider computer, and the user device may receive an authentication response message comprising an authentication result from the processing server computer. The authentication result may be determined by the processing server computer based on a comparison of the derivative of the second biometric template to a derivative of a first biometric template accessible to the processing server computer. The authentication result may also be based on the validity of the electronic identity.

The method may further comprise receiving the first biometric template of the user, generating the derivative of the first biometric template, and generating an identity request message for an electronic identity for the user. The identity request message may comprise the derivative of the first biometric template and an account identifier of the user. In addition, the method may comprise sending the identity request message to a verification server, wherein the verification server verifies the account identifier and generates the electronic identity. The electronic identity may be linked to the derivative of the first biometric template in a database by the processing server computer. The method may also comprise receiving an identity response message comprising the electronic identity, and storing the electronic identity in a memory of the user device for later use in an interaction.

Other embodiments of the invention are directed to systems, apparatuses, portable consumer devices, and computer readable media associated with methods described herein.

A better understanding of the nature and advantages of the present invention may be gained with reference to the following detailed description and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a block diagram of a system for implementing secure biometric authentication.

FIGS. 2A and 2B show a process flow diagram for implementing secure biometric authentication.

FIG. 3 shows a block diagram of a processing server computer for implementing biometric authentication.

FIG. 4 shows a block diagram of a user device for implementing biometric authentication.

TERMS

A “server computer” may include a powerful computer or cluster of computers. For example, the server computer can be a large mainframe, a minicomputer cluster, or a group of servers functioning as a unit. In one example, the server computer may be a database server coupled to a Web server. A server computer may be coupled to a database and may include any hardware, software, other logic, or combination of the preceding for servicing the requests from one or more client computers. A server computer may comprise one or more computational apparatuses and may use any of a variety of computing structures, arrangements, and compilations for servicing the requests from one or more client computers.

An “application program interface” or “API” may refer to software specifying how components of a system should interact. The API may comprise a set of routines, protocols, and tools on which software applications may be built. An API may be for a web-based system, operating system, database system, computer hardware or software library, and may include specifications for routines, data structures, object classes, variables and/or remote calls.

The term “gateway” may refer to hardware or software that allows for the interfacing of network nodes using different protocols. The interface can include protocol converters, proxy servers, routers, firewalls, etc. A gateway may also be referred to as a “network gateway.” For example, a computer that controls the traffic from an Internet Service Provider (ISP) may be a network gateway.

The term “authentication” may refer to the process of verifying the identity of something (e.g., a user). One form of authentication can be biometric authentication.

A “biometric” may be any human characteristic that is unique to an individual. For example, a biometric may be a person's fingerprint, face, DNA, etc.

A “biometric reader” may refer to a device for capturing data from an individual's biometric sample. Examples of biometric readers may include fingerprint readers, front-facing cameras, microphones, and iris scanners.

A “biometric sample” may refer to data obtained by a biometric reader. The data may be either an analog or digital representation of the user's biometric, generated prior to determining distinct features needed for matching. For example, a biometric sample of a user's face may be image data. In another example, a biometric sample of a user's voice may be an audio file.

A “biometric template” may refer to a file containing distinct characteristics extracted from a biometric sample that may be used during a biometric authentication process. For example, a biometric template may be a binary mathematical file representing the unique features of an individual's fingerprint, eye, hand or voice needed for performing accurate authentication of the individual.

The term “zero-knowledge proof” or “zero-knowledge protocol” may refer to a method of proving that information is true without conveying the information itself. In a zero-knowledge protocol, secret information can be verified without being revealed. More information regarding zero-knowledge proofs may be found at:

J. Camenisch and M. Stadler. Proof systems for general statements about discrete logarithms. Technical Report TR 260, Institute for Theoretical Computer Science, ETH Zürich, March 1997. In some embodiments, the comparison of derivatives of biometric templates to verify the authenticity of a particular person may employ a zero-knowledge protocol.

The term “blockchain” may refer to a distributed database that maintains a continuously growing list of records secured from tampering and revision. A blockchain may include a number of blocks of interaction records. Each block in the blockchain may also include a timestamp and a link to a previous block. For example, each block may include or be appended to a hash of the previous block. Stated differently, interaction records in a blockchain may be stored as a series of “blocks,” or permanent files that include a record of a number of transactions occurring over a given period of time. Blocks may be appended to a blockchain by an appropriate node after it completes the block and the block is validated. In embodiments of the invention, a blockchain may be distributed, and a copy of the blockchain may be maintained at each node in a verification network. Any node within the verification network may subsequently use the blockchain to verify transactions. The security of a blockchain may be obtained using a cryptographic scheme.

A “digital signature” may refer to data used to provide assurance or evidence as to the origin and identity of an electronic record or message. Digital signatures can be based on public key cryptography (i.e. asymmetric cryptography). Digital signatures may be generated using a public key algorithm such as RSA. To create a digital signature, signing software may be used to create a one-way hash of the electronic data that is to be signed by a signing entity. The private key of the signing entity is then applied to the hash to form the digital signature. (For RSA this step is often described loosely as “encrypting the hash with the private key”; in practice the hash is first padded according to a signature scheme such as PSS, and the private key operation is applied to the padded value.)

The term “validation” may refer to the act of checking or affirming that information is legitimate. An example may be the act of checking that a digital signature appended to an electronic record is, in fact, legitimate and of the signing entity. Digital signatures may be validated according to a verification algorithm in conjunction with a signing entity's public key.

An “electronic identity” or “eID” may refer to a unique string of characters or symbols used to identify an individual. In preferred embodiments, the electronic identity may be mathematically derived from information associated with a user. For example, in some embodiments, an electronic identity may be a value calculated by hashing one or more input values (customer name, country code, etc.) available to multiple entities. In this way, the electronic identity may be independently generated by any entity that has the prerequisite information. An electronic identity may be altered (e.g., hashed and/or encrypted) information associated with a user. For example, in some embodiments, an electronic identity may be derived from a combination of a country code, customer name, date of birth, and last four digits of a social security number, such as SHA256(USA*JOHN SMITH*19700101*1234). Hashing this value may result in a seemingly random string of characters, such as 754WD2E2513BF546050C2D079FF5D65AB6E318E (an illustrative value; an actual SHA-256 digest is 64 hexadecimal characters), and this can be an electronic identity. Because the inputs are available to multiple entities, an electronic identity computed in this way serves as an identifier and should not be treated as a secret. In some embodiments, the electronic identity is associated with a passphrase that is provided in order to access any interaction record associated with the electronic identity. An electronic identity may sometimes be referred to as an “eID,” electronic identifier, or electronic identification data.
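As an added example (not part of the application), the following Python derives an electronic identity from the fields named above. The separator, field order, canonicalization rules and input checks are assumptions chosen so that two entities holding the same records compute the same value. The last function shows the practical consequence of using an unkeyed hash over low-entropy inputs: a party that knows the other fields can recover the date of birth by enumeration, which is why the eID is an identifier and not a secret.

```python
import hashlib
import re
import unicodedata
from datetime import date, timedelta

# Added example, not part of the application. The separator, field order,
# canonicalization and format checks are assumptions chosen so that independent
# parties derive the same eID from the same record.
SEPARATOR = "*"


def canonicalize_name(name: str) -> str:
    """Upper-case, strip accents and collapse whitespace so that 'Jöhn  smith'
    and 'JOHN SMITH' produce the same record."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"\s+", " ", plain).strip().upper()


def derive_eid(country_code: str, name: str, dob_yyyymmdd: str, ssn_last4: str) -> str:
    """SHA-256 of COUNTRY*NAME*YYYYMMDD*LAST4, returned as 64 upper-case hex characters."""
    country = country_code.strip().upper()
    if not re.fullmatch(r"[A-Z]{3}", country):
        raise ValueError("country code must be three letters")
    if not re.fullmatch(r"\d{8}", dob_yyyymmdd):
        raise ValueError("date of birth must be YYYYMMDD")
    if not re.fullmatch(r"\d{4}", ssn_last4):
        raise ValueError("expected the last four digits of the SSN")
    record = SEPARATOR.join([country, canonicalize_name(name), dob_yyyymmdd, ssn_last4])
    return hashlib.sha256(record.encode("utf-8")).hexdigest().upper()


def recover_dob_by_enumeration(eid, country_code, name, ssn_last4, first_year=1900, last_year=2020):
    """Anyone holding the other fields can recover the date of birth by trying every
    date: the eID is an identifier, not a secret, because the input space is small
    and the hash is unkeyed."""
    day, last = date(first_year, 1, 1), date(last_year, 12, 31)
    while day <= last:
        candidate = day.strftime("%Y%m%d")
        if derive_eid(country_code, name, candidate, ssn_last4) == eid:
            return candidate
        day += timedelta(days=1)
    return None
```

Calling `derive_eid("USA", "John Smith", "19700101", "1234")` and `derive_eid("usa", "  Jöhn   SMITH ", "19700101", "1234")` returns the same 64-character value, which is the independence property the text describes; `recover_dob_by_enumeration` over a 120-year range needs fewer than 45,000 hashes.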

An “account identifier” may refer to a sequence of numbers and/or letters for identifying an account. The account can be a bank account, credit card account, government benefit account, health insurance account, etc. One example of an account identifier may be a primary account number (PAN), which may be a 16-digit number identifying an account that a user may use to conduct transactions.

A “know your customer” or “KYC” process may refer to the process of a business identifying and verifying the identity of its clients. The term is also used to refer to the bank and anti-money laundering regulations which govern these activities. A KYC process may be used to verify information of a user and generate an electronic identity for the user.

DETAILED DESCRIPTION

Embodiments provide systems, apparatus, and methods for implementing secure biometric authentication. A biometric may be any human characteristic that is unique to an individual. For example, a biometric may be a person's fingerprint, face, DNA, etc. Biometric authentication may be used to identify individuals in a manner that is more convenient and efficient than typical identification methods. It may be used to identify individuals in a variety of scenarios such as logging into a network, accessing a building, or conducting a transaction. Because biometric authentication uses human characteristics rather than account information or identification cards, users of biometric authentication do not need to worry about remembering usernames and passwords or keeping track of ID cards.

A problem associated with implementing biometric authentication systems is privacy and security. Users often distrust biometric authentication for fear that their biometric data might be stolen or misused. In addition, entities that need to verify a user's identity (e.g. for the purpose of authorizing a transaction) also have a stake in the accuracy of authentication, and may wish to limit the proliferation of identity theft and fake identity creation.

Embodiments of the invention described herein address these issues by passing a user's biometric template through a derivation formula, and linking the derived biometric template to an electronic identity that is validated by trusted parties. The electronic identity may be validated against records stored in a blockchain and according to a digital signature algorithm. In this manner, a user's biometric data remains confidential and goes through multiple validation checks, thus preventing abuse of the authentication system by a fraudulent individual. Embodiments combine blockchain technology with other biometric authentication techniques to provide a secure authentication system available through an application on a user's mobile device. Thus, embodiments of the invention described herein are more secure, more efficient, and more convenient than other identification methods.

FIG. 1 shows a block diagram of a system for implementing secure biometric authentication. System 100 may comprise processing server computer 150 for processing authentication requests in secure biometric authentication. Processing server computer 150 may connect to a plurality of servers, computers, and devices across a number of protocols through a network gateway, such as gateway 130. System 100 may also comprise mobile device 110, which may comprise authentication application 112. Authentication application 112 may be an application stored on mobile device 110 that comprises instructions for implementing biometric authentication. This may include instructions for communicating with verification server 140, processing server computer 150, and resource provider computer 120. Authentication application 112 may further comprise instructions for requesting an electronic identity, which may be provided by verification server 140 through identity request API 142.

According to embodiments, a computer of a resource provider, such as resource provider computer 120, may comprise authentication API 122 for authenticating a user of mobile device 110. Resource provider computer 120 may authenticate the user by receiving user data from mobile device 110, which may be forwarded to processing server computer 150 to receive an authentication result. The processing server computer 150 may determine the authentication result through communications with authentication server 160, and based on data stored in authentication data database 160B and in public blockchain 170C.

Mobile device 110 may be any mobile device for communicating and storing user data of a user. For example, mobile device 110 may be a smart phone, smart wearable device (e.g. smart watch or eyewear), or any other portable communications device owned by the user. Mobile device 110 may store and communicate user data by way of one or more applications such as authentication application 112. The user data may include a user's electronic identity and a derivative of the user's biometric template. In one embodiment, mobile device 110 may also comprise a resource provider application for connecting to resource provider computer 120. For example, mobile device 110 may comprise a merchant application, which a user may access to connect to a merchant server computer and make purchases online. Elements of mobile device 110 can be further seen in FIG. 4, further described below.

Authentication application 112 may comprise instructions for receiving user data from a user, storing user data in a memory of mobile device 110, and sending user data over a communication interface such as a wireless interface (e.g. Wi-Fi, Bluetooth, near-field communications, RFID, etc.). For example, authentication application 112 may be a mobile payments application that a user may access in order to present his or her credentials when making a purchase. In one embodiment, authentication application 112 may comprise instructions for generating a biometric template from biometric sample data. The biometric template may be data comprising features of a biometric sample required for accurate matching. The biometric template may comprise minutiae information such as position, type, and angle and/or may comprise pattern information (ridge structure) as described in ISO/IEC JTC 1/SC 37. For example, the biometric template may comprise features of a user's fingerprint data that consistently appear in biometric sample data. This may include features that may be detected no matter where a user's finger is positioned on the fingerprint reader when a sample is taken, such as the positions of the lines (i.e. ridge contours) that make up the user's fingerprint relative to one another. In another example, a user may present his or her biometric sample multiple times, and a statistical model may be used to generate a biometric template that captures the top features that have the greatest probability of appearing in a next biometric sample taken from the user. In one embodiment, mobile device 110 or authentication application 112 stored on mobile device 110 may comprise a biometric template generation algorithm from which identical biometric templates are generated each time a user captures a sample from a specific biometric (e.g. each time he or she presents the same finger, iris, etc.).

Authentication application 112 may further comprise instructions for creating a derivative of a biometric template. For example, authentication application 112 may comprise instructions for passing the biometric template through an algorithm that mathematically alters its data values or removes certain data values to form a derivative of the biometric template. For example, in some embodiments, a biometric template may include a string of data, while the derivative of the biometric template may remove or convert some of the data in the string of data at predetermined locations. The derivative of the biometric template may relate to the biometric template, but may not be the entire biometric template. In one embodiment, the algorithm for altering data values may be a one-way function in which it is computationally difficult to reverse the operation performed, thus making it nearly impossible to obtain the original template. For example, in one embodiment, biometric template data may be expressed as a string, in which unique and consistent features of the user's biometric having a high probability of appearance in a captured sample are converted into a unique sequence of characters. To derive the biometric template, the string including the unique sequence of characters may be passed through a hashing algorithm to generate a unique hash. In another embodiment, the biometric template may be split into multiple parts and the multiple parts may each be passed through the one-way function and collected together to form the derivative. For example, a string of characters representing a user's fingerprint template may be divided into 20 strings of equal length, which may each be hashed, and the resulting hashes may be appended together to form a derivative. Two caveats apply to hash-based derivatives. First, a hash changes completely when a single character of its input changes, so matching hashes across captures depends on the bit-identical template generation described above. Second, when the template is split into short parts before hashing, each part can be recovered independently by trying every possible value of that part, so the smaller the part, the less protection the one-way function provides.
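As an added example (not part of the application), the following Python implements the two derivatives described above, the whole-template hash and the split-and-hash variant, together with the comparison a processing server would perform on them. The template format (an 80-character string of hexadecimal feature codes), the 20-part split and the sample template are assumptions; the last function demonstrates the second caveat by recovering one hashed part through exhaustive guessing.

```python
import hashlib
import hmac
from itertools import product

# Added example, not part of the application. The template format (80 hexadecimal
# feature codes), the 20-part split and the sample template are assumptions;
# SAMPLE_TEMPLATE is constructed data, not a real fingerprint template.
SAMPLE_TEMPLATE = "3fa91c0e7b2d5a6481c3e9f7d02b6a5c9e41f3078d2ba6c5e7f1904b3a8c2d6e5f7a1b9c4d0e8f23"
ALPHABET = "0123456789abcdef"


def derive_whole(template: str) -> str:
    """Hash the whole template once. This only matches across captures if the
    device reproduces a bit-identical template each time, as the text assumes."""
    return hashlib.sha256(template.encode("utf-8")).hexdigest()


def derive_in_parts(template: str, parts: int = 20) -> str:
    """Split into equal parts, hash each part, and append the hashes."""
    if parts <= 0 or len(template) % parts != 0:
        raise ValueError("template length must divide evenly into the requested parts")
    size = len(template) // parts
    chunks = (template[i:i + size] for i in range(0, len(template), size))
    return "".join(hashlib.sha256(c.encode("utf-8")).hexdigest() for c in chunks)


def derivatives_match(stored: str, presented: str) -> bool:
    """Constant-time comparison, so response timing does not reveal how many
    leading characters of the stored derivative were guessed correctly."""
    return hmac.compare_digest(stored, presented)


def invert_part_by_guessing(part_hash: str, alphabet: str = ALPHABET, part_len: int = 4):
    """Recover one part of the template from its hash by trying every string over
    the alphabet. With 4 hex characters that is at most 65,536 guesses, which is
    why short parts hashed without a secret give little protection to the template."""
    for candidate in product(alphabet, repeat=part_len):
        guess = "".join(candidate)
        if hashlib.sha256(guess.encode("utf-8")).hexdigest() == part_hash:
            return guess
    return None
```

`derive_in_parts(SAMPLE_TEMPLATE)` yields 20 concatenated 64-character hashes; passing its first 64 characters to `invert_part_by_guessing` returns the first four characters of the template, whereas no comparable shortcut exists against `derive_whole`, whose input space is the full 80-character template.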

Resource provider computer 120 may be a computer used to provide resources to a user. In embodiments, the resource may be provided to the user upon authentication of the user's credentials (e.g. user biometric). For example, resource provider computer 120 may be a computer that controls entrance/exit into a building or terminal. In another example, resource provider computer 120 may be a server computer of a merchant, that may be used to authorize access to goods or services. In one embodiment, the server computer of the merchant may be accessed from mobile device 110 using a resource provider application. In yet another example, resource provider computer 120 may be a computer of a government agency, that may be used to confirm an individual's identity (e.g. for the purpose of authorizing access to social security benefits). Resource provider computer 120 may be any computing device for performing computer functions according to embodiments of the invention, such as a personal computer, laptop, tablet, point-of-sale terminal, smart phone, smart wearable device, etc.

Resource provider computer 120 may comprise authentication API 122 for authenticating a user in an interaction (e.g. during a transaction, login attempt, security checkpoint, etc.). Authentication API 122 may comprise instructions for communicating with processing server computer 150 through gateway 130. Authentication API 122 may further comprise instructions for receiving user data in an interaction with the user, and for sending user data to processing server computer 150 to receive an authentication result. In one embodiment, authentication API 122 may comprise software that is provided by an entity of processing server computer 150. Authentication API 122 may comprise instructions for receiving the user data in an authentication request message, which may comprise a derived biometric template of a user and an electronic identity, and may further comprise instructions for forwarding the authentication request message to processing server computer 150 to receive the authentication result. The authentication result may indicate if a user's credentials (i.e. biometric) are legitimate, and may be based on the verification and validation of data received in the authentication request message.

In embodiments, messages between devices during authentication may pass through gateway 130. Gateway 130 may be a network node for interfacing two networks operating using different protocols. The network node may be a physical node provided by hardware or may be a virtual node provided by software. For example, gateway 130 may be software that allows a mobile device or computer to connect, via the internet, to an entity's network, such as that of a bank or payment processing network. In one embodiment, gateway 130 may allow a device comprising authentication application 112 or authentication API 122 to communicate with verification server 140 and/or processing server computer 150.

Verification server 140 may be a server for verifying a user's information to generate an electronic identity for the user. For example, verification server 140 may be a server of a financial institution that may verify a user's bank account information and/or financial documents. In another example, verification server 140 may be a server of a government institution that may verify government documents presented by a user, such as the user's passport, social security number, birth certificate, driver's license, etc. Verification server 140 may generate an electronic identity for a user by way of identity request API 142, which may comprise instructions for receiving identity request messages from a user device. In embodiments, verification server 140 may be any server of an entity possessing the means to verify a user's identity so that the user may be enrolled in a biometric authentication program.

According to embodiments, processing server computer 150 may be a server computer for processing data in a network. The network may be, for example, a payment processing network, such as VisaNet. Processing server computer 150 may comprise means for determining an authentication result based on user data, such as a user's electronic identity, biometric, or derivatives thereof. In embodiments, processing server computer 150 may determine the authentication result by comparing data in an authentication request message to data stored in authentication data database 160B and in public blockchain 170C. Processing server computer 150 may authenticate a user by comparing a derivative of a first biometric template of a user to a derivative of a second biometric template of the user. Processing server computer 150 may further authenticate a user by identifying records in a blockchain relating to the electronic identity of the user, and validating digital signatures appended to said records. Elements of processing server computer 150 may further be seen in FIG. 3, further described below.

Authentication server 160 may be a server for authenticating user credentials. In embodiments, the user credentials may include a derivative of a user's biometric template, which may be compared to data stored in authentication data database 160B to authenticate the user. In one embodiment, authentication server 160 may receive, from processing server computer 150, a request for a derivative of a biometric template of a user to be authenticated in an interaction. The request may comprise an identifier for a derivative of a first biometric template of the user registered during enrollment. The derivative of the first biometric template may be retrieved from authentication data database 160B, and sent to processing server computer 150 for comparison against a derivative of a second biometric template of the user during authentication.

In another embodiment, authentication server 160 may compare the derivatives of the first and second biometric templates during authentication. For example, during a request to access a building, processing server computer 150 may forward an authentication request message comprising a derivative of a user's iris data. The derivative may be user iris data that has been passed through an algorithm in order to prevent the user's iris data from being transmitted in the clear. Authentication server 160 may receive the derivative in the authentication request message and may query authentication data database 160B for a matching derivative of the user's iris data. Authentication server 160 may determine if a match exists, and send the result to processing server computer 150. Depending on the match results, the user may be authenticated for access to the building. In yet another embodiment, authentication server 160 and processing server computer 150 may be the same server or may be of the same entity.

In addition to the comparison of data relating to biometrics, authentication of a user in system 100 may also comprise validating records of a distributed database. Specifically, the distributed database may be a blockchain, such as public blockchain 170C. Public blockchain 170C may be a public ledger of immutable blocks. Each immutable block in public blockchain 170C may reference a previous block, such that the blocks are linked in a chain. Copies of the public blockchain 170C may be distributed to multiple nodes in a network. According to embodiments, public blockchain 170C may comprise signed records for validating an electronic identity of a user. The signed records may be validated by trusted nodes. For example, public blockchain 170C may comprise data blocks that may be verified by trusted server computers capable of verifying digital signatures under a public key scheme. The digital signatures may be digital signatures of banks or government institutions that may have facilitated the creation of an electronic identity for the user.

Flows 1 through 24 show the flow of data in implementing a biometric authentication process carried out by system 100. This may include both enrollment and execution of a biometric authentication program. A user may first enroll into a biometric authentication program from his or her mobile device. Enrollment may involve verifying the user's identity at verification server 140 (flows 1 through 3), which may then generate an electronic identity for the user. The electronic identity may then be sent to processing server computer 150 (flows 4 through 6) so that the identity may be linked to user authentication data (e.g. a derivative of the user's biometric template). The authentication data may be stored in authentication data database 160B (flows 7 through 9), and a record of the electronic identity and authentication data being linked may be written into public blockchain 170C (flows 10 through 11). The electronic identity may then be sent to the user's mobile device 110 for later use in an interaction (flows 12 through 13). When a user wants to prove his or her identity (e.g. during a transaction) the user may send his or her authentication data from mobile device 110 to resource provider computer 120 (flow 14). The resource provider computer may then send the user's data to processing server computer 150 (flow 16), and the processing server computer may compare the data against data in authentication data database 160B (flows 17 through 19) and against records published to public blockchain 170C (flows 20 through 21) to determine an authentication result. The authentication result may then be sent to the resource provider computer 120 and mobile device 110, so that the user and resource provider can be informed as to whether or not the user's identity has been successfully authenticated (flows 22 through 24).
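As an added example (not part of the application), the following Python simulates the enrollment and authentication flows above together with the hash-linked ledger described in the “blockchain” definition: a verification server issues an eID after checking an account identifier, the processing server links the eID to the derivative of the first template in its database and appends a record to a public ledger, and a later authentication request carrying the eID and a derivative of a second template is decided by comparing derivatives and re-validating the ledger. The message field names, the constructed KYC registry, the decision to place only a hash of the derivative on the public ledger, and the omission of digital signatures (the chain-integrity check stands in for them) are assumptions made here.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Added example, not part of the application: the FIG. 1 enrollment and
# authentication flows simulated in-process. Field names, the constructed KYC
# registry, putting only a hash of the template derivative on the public ledger,
# and omitting digital signatures (the hash chain alone gives integrity) are assumptions.
KYC_REGISTRY = {"4111111111111111": ("USA", "JOHN SMITH", "19700101")}  # constructed


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def derive_template(template: str) -> str:
    return sha256_hex("template:" + template)  # one-way derivative: whole-template hash


def identity_request(account_id: str) -> dict:
    """Verification server 140: verify the account identifier, then issue an eID."""
    if account_id not in KYC_REGISTRY:
        return {"status": "rejected"}
    country, name, dob = KYC_REGISTRY[account_id]
    return {"status": "ok", "eid": sha256_hex(f"{country}*{name}*{dob}").upper(), "issuer": "BANK-A"}


@dataclass
class Block:
    index: int
    timestamp: int
    record: dict
    prev_hash: str
    hash: str


def block_digest(index: int, timestamp: int, record: dict, prev_hash: str) -> str:
    return sha256_hex(f"{index}|{timestamp}|{json.dumps(record, sort_keys=True)}|{prev_hash}")


class PublicLedger:
    """Append-only hash-linked records, standing in for public blockchain 170C."""
    GENESIS = "0" * 64

    def __init__(self):
        self.blocks = []
    def append(self, record: dict) -> Block:
        prev = self.blocks[-1].hash if self.blocks else self.GENESIS
        idx, ts = len(self.blocks), int(time.time())
        self.blocks.append(Block(idx, ts, record, prev, block_digest(idx, ts, record, prev)))
        return self.blocks[-1]
    def is_valid(self) -> bool:
        prev = self.GENESIS  # recompute every link; an edited record or broken link fails
        for b in self.blocks:
            if b.prev_hash != prev or b.hash != block_digest(b.index, b.timestamp, b.record, b.prev_hash):
                return False
            prev = b.hash
        return True
    def records_for(self, eid: str) -> list:
        return [b.record for b in self.blocks if b.record.get("eid") == eid]


class ProcessingServer:
    """Links eIDs to template derivatives (database 160B) and decides authentication."""

    def __init__(self, ledger: PublicLedger):
        self.auth_db = {}  # eid -> derivative of the first (enrollment) template
        self.ledger = ledger
    def enroll(self, eid: str, derivative: str, issuer: str) -> None:
        self.auth_db[eid] = derivative
        self.ledger.append({"eid": eid, "derivative_hash": sha256_hex(derivative), "issuer": issuer})
    def authenticate(self, request: dict) -> dict:
        stored = self.auth_db.get(request["eid"])
        if stored is None:
            return {"authenticated": False, "reason": "unknown eid"}
        if not hmac.compare_digest(stored, request["derivative"]):
            return {"authenticated": False, "reason": "biometric mismatch"}
        if not self.ledger.is_valid():
            return {"authenticated": False, "reason": "ledger integrity failure"}
        on_ledger = self.ledger.records_for(request["eid"])
        if not any(r["derivative_hash"] == sha256_hex(stored) for r in on_ledger):
            return {"authenticated": False, "reason": "eid not validated on ledger"}
        return {"authenticated": True, "reason": "ok"}


def run_flows(first_template: str, second_template: str) -> dict:
    """Enrollment (flows 1-13) followed by one authentication (flows 14-24)."""
    processor = ProcessingServer(PublicLedger())
    ident = identity_request("4111111111111111")  # mobile device -> verification server
    if ident["status"] != "ok":
        return {"authenticated": False, "reason": "identity request rejected"}
    processor.enroll(ident["eid"], derive_template(first_template), ident["issuer"])
    # Device -> resource provider -> processing server; the provider forwards the
    # request unchanged, and the eID was stored on the device at enrollment.
    request = {"eid": ident["eid"], "derivative": derive_template(second_template)}
    return processor.authenticate(request)
```

`run_flows("template-A", "template-A")` authenticates; `run_flows("template-A", "template-B")` is refused with `biometric mismatch`, and editing any stored ledger record makes `is_valid()` fail so that every subsequent authentication is refused with `ledger integrity failure`. The ordering of the checks matters: the derivative comparison runs before the ledger lookup so that the cheaper, per-user check fails fast and a rejected request reveals nothing about ledger contents.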

More detail about the processing steps that occur during the flow shownin FIG. 1 are explained in the description of FIG. 2A and FIG. 2Bfurther below. Flows 1 to 3 may correspond to steps S201 through S206 ofFIG. 2A. Flows 3 to 6 may correspond to steps S207 through S210. Flows 6to 9 may correspond to steps S211 through S212. Flows 9 to 11 maycorrespond to step S213. Flows 11 through 13 may correspond to stepsS214 through S215. Flows 14 to 16 may correspond to steps S216 throughS221. Flow 16 may correspond to step S222. Flows 16 to 19 may correspondto steps S223 through S225. Flows 19 to 22 may correspond to steps S226through S228. And flows 22 through 24 may correspond to step S229.

FIGS. 2A and 2B show a process flow diagram for implementing securebiometric authentication. Specifically, steps S201 through S229 describea process for enrolling and using an electronic identity in conjunctionwith biometric authentication software stored on a user device.According to embodiments, steps S201 through S229 may be performed bythe system components of system 100 in FIG. 1.

At step S201, a user of a mobile device may initiate enrollment into a biometric authentication program. In one embodiment, this may be done using an authentication application stored on the user's mobile device. The authentication application may be an application installed onto the user's mobile device, and may store application data in memory, including data for generating a biometric template, data for a derivation formula, and data for an electronic identity of the user. To initiate enrollment, the user may open the authentication application on his or her mobile device, and the authentication application may prompt the user to select an option to enroll into a biometric authentication program (e.g., by selecting the option using an input element of the mobile device).

At step S202, upon initiation of enrollment, the user may provide his orher biometric sample to the mobile device so that a biometric templateof the user may be created. The authentication application may promptthe user to provide his or her biometric sample, which may be used togenerate a template containing distinct features of the individual'sbiometric. Examples of biometric samples may include a sample of auser's fingerprint, a current picture of the user, or a sample of theuser's voice. Other examples may include the user's iris, the user'spalm, or any other distinguishing feature of the individual. A biometricsample may be read using a biometric reader, which can include afingerprint reader, front-facing camera, microphone, etc. When abiometric sample is taken from the user, distinctive features of thesample may be represented in digital form as a biometric template. Forexample, a data file may be created from the capture of electromagneticsignals generated by a biometric reader during sample reading, in whichthe signals may be binned into discrete bits according to a pre-definedresolution (i.e. as expressed by the number of pixels in an image or bythe sample rate of an audio file). Software stored on the mobile devicemay then be used to identify features of the data file that are neededto accurately authenticate the user. For example, the user may be askedto present his or her biometric multiple times, and a mathematical modelmay be used to determine features that consistently appear. The featuresmay be represented as a binary digital file, which may form thebiometric template.

At step S203, the authentication application stored on the mobile device may generate a derivative of the biometric template of the user. The derivative may be a representation of the biometric template in which the data has been altered so as to conceal the original feature data of the biometric template. For example, a binary file representing characteristic features of a user's fingerprint may be passed through a mathematical function that alters each data value in a seemingly random manner. In another embodiment, data values at predetermined locations of a data string representing a biometric template may be removed to obscure the original biometric template. In one embodiment, the mathematical function may be a one-way function, such as a cryptographic hash function. For example, the authentication application may comprise code for recognizing features of a user's fingerprint sample that have a high probability of being captured and identical each time a sample is taken, and may express the features as a string of characters that is identical each time the string is formed. The string may then be passed through a hashing algorithm (e.g., SHA-256) to generate a hash. The hash may be used as a derivative of the biometric template: because the hash function is one-way, the feature string cannot be recovered from the hash, and the same hash can be reproduced only from the same feature string. In another embodiment, the biometric template may be split into multiple parts, each of which may be passed through the one-way function, and the outputs may be collected together to form the derivative. For example, a string of characters representing a user's fingerprint template may be divided into 20 strings of equal length, each of which may be hashed, and the resulting hashes may be appended together to form the derivative. Splitting the template in this way allows a later comparison to tolerate a small number of differing parts (see step S225), at the cost that each short part is easier to recover by exhaustive guessing than a hash of the whole string.
During matching, a derivative may be verified if the consistent features of the user's biometric are captured by a reader and the resulting biometric template, or parts of the biometric template, match the expected results after being passed through the one-way function. According to embodiments, the derivative cannot be reverse engineered to obtain the consistent features of the user's biometric sample. This holds only to the extent that the feature string is unpredictable: a hash of a short or low-entropy string can be recovered by hashing candidate strings until one matches, so the feature encoding should carry enough entropy to make such a search impractical.

In one embodiment, a derivative may be generated by tokenizing abiometric template and transporting the derivative through azero-knowledge security layer. The zero-knowledge security layer may bean additional blockchain layer that uses a zero-knowledge proof toshield the source and anonymize the contents of data published to theblockchain. For example, a biometric template may be derived bygenerating a token, in which the token is committed to specificconditions such as a specific time of use and/or specific receivingaddress in order to be valid. The token may be, for example, a string ofcharacters that can be verified using a zero-knowledge proof, and thatcan only be used for its committed purpose and if a hidden and randomnumber, r, is known. The token may then be used as a record in place ofthe template data, such that the derivatives may be anonymized.

More information regarding zero-knowledge security layers may be found in: Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza, "Zerocash: Decentralized Anonymous Payments from Bitcoin," 2014 IEEE Symposium on Security and Privacy (SP), pp. 459-474, 2014, ISSN 1081-6011.

At step S204, the mobile device may retrieve an account identifier ofthe user. The account identifier may be an identifier for an accountissued to the user, such as a bank account or social security account.In other examples, the account identifier may be a primary accountnumber (PAN), driver's license number, passport ID number, username andpassword, etc. The account identifier may be entered into the mobiledevice by the user or may be retrieved from a memory of the mobiledevice, such as from a secure element of the device or from applicationdata. In other embodiments, the account identifier may be retrieved froma cloud-based server, or may be provided through another application onthe mobile device, such as a digital wallet application.

At step S205, the mobile device may generate an identity requestmessage. The identity request message may comprise the derivative of thebiometric template of the user and the account identifier. The identityrequest message may be generated after the biometric template of theuser has been derived and after the account identifier has beenretrieved. In one embodiment, the message may be sent upon indication bythe user. For example, the authentication application may compriseinstructions for displaying a selectable option to the user, which whenselected may result in the generation and sending of the identityrequest message. In some embodiments, the identity request message maycomprise additional information of the user such as his or her name,address, date of birth, etc.

At step S206, the identity request message may be sent from the mobiledevice to a verification server. The verification server may be a serverof a verification entity, such as a government agency or bank. Theidentity request message may be sent from the mobile device to theverification server by way of a network gateway, such as gateway 130 ofFIG. 1. For example, the gateway may be a network node capable ofreceiving the identity request message over the Internet and forwardingthe message to a bank's server. The verification server may be able toreceive and send messages over the network gateway via an API, such asidentity request API 142 of FIG. 1.

At step S207, the verification server may verify the account identifierof the user. According to embodiments, the verification server mayreceive the identity request message and may identify data fields forthe account identifier and derivative of the biometric template. Theverification server may then compare the account identifier to anaccount identifier stored in an account database, and may verify thevalidity of the account identifier and any additional user information.For example, a bank server may receive a bank account number and auser's name in the identity request message and may verify that the bankaccount number exists, is under the user's name, and is in goodstanding. In one embodiment, the verification server may further performother checks on the user such as credit inquiries, criminal backgroundchecks, etc., which may affect whether or not the user is verified intothe authentication program. In one embodiment, the user's informationmay be verified according to a “know your customer” or KYC process.

At step S208, the verification server may generate an electronic identity for the user if the account identifier has been verified. In one embodiment, the electronic identity, or eID, may be mathematically derived from information associated with the user. The electronic identity may be a value calculated by hashing one or more input values. For example, the electronic identity may be derived from a combination of a country code, customer name, date of birth, and last four digits of a social security number of a user, such as SHA256(USA*JOHNSMITH*19700101*1234). Hashing this value may result in a seemingly random string of characters, such as 754WD2E2513BF546050C2D079FF5D65AB6E318E, and this can be an electronic identity, or eID, for the user. Because the inputs to the hash are not secret and may be guessed by anyone who knows the user's name and date of birth, the eID serves as an identifier rather than as an authentication secret; its trustworthiness comes from the signed record generated at step S209 and from the biometric comparison at step S225.

At step S209, the verification server may generate a record for the electronic identity and derivative of the first biometric template being linked or associated with one another, and may sign the record using its private key. According to embodiments, the record may serve as a certificate of enrollment into the biometric authentication program. The record may comprise hashes of the electronic identity and the derivative of the biometric template of the user. For example, the record may comprise a hash that is the result of concatenating strings for the electronic identity and derivative and inputting the concatenated string into SHA-256. The record may also comprise time information relating to the time at which the verification server verified the user's information. The record may then be signed by the verification server according to a digital signature algorithm. For example, the Federal Information Processing Standard Digital Signature Algorithm (DSA) may be used in conjunction with a bank's private key to generate a verifiable digital signature that may be appended to the hash record. In one embodiment, the record may be identified by a record identifier, such as a transaction ID. According to embodiments, by providing a record of the electronic identity and derivative being linked that is signed by the verification server, criminal actors may be prevented from enrolling fake or stolen identities into the authentication system, since a record lacking a valid signature from a trusted verification entity will fail the signature validation of step S227.

At step S210, the verification server may insert the signed record intothe identity request message, and may then forward the identity requestmessage to a processing server computer for processing. The processingserver computer may be processing server computer 150 of FIG. 1. In oneembodiment, an allocated data field may be used to store the signedrecord in the message, so that it may be received and read by theprocessing server computer. The verification server may send theidentity request message to the processing server computer usinginstructions stored in an identity request API, and by way of a networkgateway.

At step S211, the processing server computer may receive the identityrequest message, and may link the electronic identity and derivative ofthe biometric template in a database. In one embodiment, the processingserver computer may read allocated data fields for the electronicidentity (eID) and for the derivative of the biometric template, and maythen store the eID or copy of the eID along with an identifier for thederivative of the biometric template in a database where they may belinked. For example, the electronic identity,‘754WD2E2513BF546050C2D079FF5D65AB6E318E’ and the derivative ID,‘derivative #129578190’ may be linked together in a row of a relationaldatabase or of a mapping table.

At step S212, the processing server computer may submit the derivativeof the biometric template to an authentication server for storage.According to embodiments, the derivative of the biometric template maybe stored in the authentication data database, where it may be lateraccessed and retrieved during authentication of a user. Theauthentication server may be authentication server 160 and theauthentication data database may be authentication data database 160B ofFIG. 1. In one embodiment, the processing server computer andauthentication server may be the same server or of the same entity. Inone embodiment, the processing server computer may also attach anidentifier for the derivative, which the authentication server mayreceive and link to the derivative in the authentication data database.The identifier may be used as a reference at a later point in time whenquerying for the derivative.

At step S213, the processing server computer may sign the recordgenerated by the verification server and may then publish the record toa public blockchain. The blockchain may be public blockchain 170C ofFIG. 1. The record may be signed using the processing server computer'sprivate key, and according to a digital signature algorithm. Theprocessing server computer may append its digital signature to therecord, and may then initiate the writing of the record into a datablock and the publishing of the data block to a blockchain. The datablock may later be read during authentication of a user in aninteraction, such that the validity of the user's electronic identityand its certification into the biometric authentication program may beverified.

At step S214, the processing server computer may send the electronicidentity to the mobile device. The processing server computer maygenerate an identity response message comprising the electronicidentity, which it may send to the mobile device over a network such asthe internet (e.g. via the network gateway). The identity responsemessage may also comprise data indicating the successful enrollment forthe user into the biometric authentication program, such as data for aconfirmation message.

At step S215, the mobile device may receive the identity response message and may store the electronic identity in memory. The memory may be application memory of the authentication application or may be a secure element of the mobile device. In one embodiment, the memory may be a cloud-based memory which may allow the mobile device to access the electronic identity from servers across a network. Once the enrollment and provisioning process has been completed, the user may later use his or her mobile device to prove his or her identity in an interaction.

At step S216, the user may present the mobile device in an interactionwith a resource provider computer. For example, the user may interactwith an access device using a communications interface of the mobiledevice, such as through Bluetooth or near-field communications. In oneembodiment, the user may interact with the resource provider through aresource provider application stored on the user's mobile device. Theresource provider application may allow for the exchange of data betweenthe mobile device and the resource provider's server computers such thatthe user may be authenticated and granted resources, such as merchandiseor requested services. The resource provider computer may be resourceprovider computer 120 of FIG. 1.

At step S217, the user may provide a second biometric sample to themobile device. The biometric sample may be of the same biometric usedduring enrollment into the authentication program, taken at step S202.For example, if the user used an image of his or her face as a biometricduring enrollment, the user may then take a current picture of his orherself during the interaction with the resource provider. In anotherexample, if the user took a sample of his or her right index fingerduring enrollment, the user may then use the mobile device to take asample of his or her right index finger during the interaction. Themobile device may take the biometric sample of the user and generate asecond biometric template.

At step S218, the authentication application stored on the mobile device may generate a derivative of the second biometric template of the user. The derivative of the second biometric template may be generated in the same manner as the derivative of the first biometric template generated at step S203, so that matching samples result in matching derivatives within a predetermined threshold. Where the derivative is a single hash of the whole feature string, the threshold is necessarily zero: any difference in the feature string changes the entire hash, so the second feature string must be identical to the first. Where the derivative is formed from hashes of separate parts of the template, parts that were captured identically produce identical hashes, and the threshold may be applied to the number of parts that differ.

At step S219, the mobile device may retrieve the electronic identity from memory. The memory may be the memory in which the electronic identity was stored at step S215. In one embodiment, access to the electronic identity may be protected using a passphrase or username and password. For example, the electronic identity may be stored in a secure memory, in which access can only be granted to an application if the user enters his or her PIN.

At step S220, the authentication application may append the electronicidentity (eID) to the derivative of the second biometric template of theuser. In one embodiment, the electronic identity and the derivative ofthe second biometric template may both be represented as a string ofcharacters of predefined length. For example, the electronic identitymay be a hash of 30 letters and numbers, and the derivative of thesecond biometric template may be a string of 100 characters representingmathematically derived feature data of a user's biometric sample. Theappended eID and derivative may then be a string of 130 characters inlength.

At step S221, the mobile device may generate an authentication requestmessage comprising the appended electronic identity and derivative, andmay send the authentication request message to the resource providercomputer. The resource provider computer may then forward theauthentication request message to a processing server computer, using anauthentication API. The authentication API may be authentication API 122of FIG. 1. At step S222, the processing server computer may receive theauthentication request message.

At step S223, the processing server computer may decouple the electronic identity from the derivative of the second biometric template. In one embodiment, this may be done by determining the length of the electronic identity and the length of the derivative of the second biometric template, and then splitting the appended electronic identity and derivative into two separate data elements based on the length. For example, the processing server computer may determine that the electronic identity should be a string of 30 characters and that the derivative of the second biometric template should be a string of 100 characters. When the processing server computer receives a 130 character string in an authentication request message, it may declare a variable for the electronic identity to which it allocates the first 30 characters of the string, and may declare a variable for the derivative of the second biometric template to which it allocates the remaining 100 characters. In this length-based embodiment, the processing server computer should check that the received string has exactly the expected total length before splitting it, and should reject a message of any other length rather than guess at the boundary. In other embodiments, one or more designated characters may separate the electronic identity data and the derivative of the second biometric template. In yet other embodiments, these two pieces of data may be provided in known data fields.

At step S224, the processing server computer may determine from records,a derivative of a first biometric template linked to the electronicidentity. This may be the derivative linked to the electronic identityat step S211. The record may be in the form of a mapping table orrelational database, which the processing server computer may query forthe electronic identity (eID) and identity derivatives and other datalinked to the queried electronic identity. For example, the eID may belinked in a row of a relational database to an identifier for aderivative of a first biometric template of a user and to otheradditional information of the user such as name, address, etc. Theidentified derivative may be retrieved, by the processing servercomputer, from an authentication data database by sending a request toan authentication server. For example, the processing server computermay send a request comprising an identifier for the derivative of thefirst biometric template of the user (e.g. ‘derivative #129578190’). Theidentifier may be used by the authentication server to query for thederivative, which the authentication server may submit to the processingserver computer for comparison to the derivative of the second biometrictemplate of the user.

At step S225, the processing server computer may compare the derivativeof the second biometric template with the derivative of the firstbiometric template for a match. In one embodiment, this may be done, bycomparing each data element of the derivative of the second biometrictemplate to a corresponding data element of the derivative of the firstbiometric template. In some embodiments, two derivatives may beconsidered a match if less than a predetermined number of data elementsdiffer. For example, the derivatives may be expressed as a string ofequal length, and the processing server computer may compare eachcorresponding character (first, second, third, etc.) from each string toone another, and may determine a match if less than 10 charactersdiffer. In other embodiments, two derivatives are a match if there is anexact match (e.g., as with two hashes of identical data derived frombiometric samples obtained at different times).
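As an added illustration of steps S203, S218 and S225 (example code written for this page, not code from the original document), the following Go program derives a template from a feature string by the 20-part hashing embodiment and compares two derivatives by counting the parts whose digests differ. The feature strings are constructed sample values standing in for real template output, and the function names are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// parts is the number of equal-length pieces the feature string is split into
// before hashing, following the 20-part embodiment described at step S203.
const parts = 20

// segHex is the length in hex characters of one SHA-256 digest.
const segHex = sha256.Size * 2

// deriveTemplate turns the feature string produced from a biometric template
// into a derivative: the string is cut into `parts` equal-length pieces, each
// piece is hashed with SHA-256, and the hex digests are appended together.
func deriveTemplate(features string) (string, error) {
	if len(features) == 0 || len(features)%parts != 0 {
		return "", fmt.Errorf("feature string length %d is not a non-zero multiple of %d", len(features), parts)
	}
	seg := len(features) / parts
	var b strings.Builder
	for i := 0; i < parts; i++ {
		sum := sha256.Sum256([]byte(features[i*seg : (i+1)*seg]))
		b.WriteString(hex.EncodeToString(sum[:]))
	}
	return b.String(), nil
}

// differingParts compares two derivatives piece by piece and returns how many
// of the `parts` hashed pieces differ. A single changed feature character
// changes the whole digest of its piece, so tolerance is counted in pieces,
// not in characters.
func differingParts(a, b string) (int, error) {
	if len(a) != parts*segHex || len(b) != parts*segHex {
		return 0, fmt.Errorf("derivative has unexpected length (%d and %d, want %d)", len(a), len(b), parts*segHex)
	}
	differing := 0
	for i := 0; i < parts; i++ {
		if a[i*segHex:(i+1)*segHex] != b[i*segHex:(i+1)*segHex] {
			differing++
		}
	}
	return differing, nil
}

// isMatch implements the threshold rule of step S225: the derivatives match if
// fewer than maxDiff pieces differ. maxDiff = 1 demands an exact match.
func isMatch(a, b string, maxDiff int) (bool, error) {
	d, err := differingParts(a, b)
	if err != nil {
		return false, err
	}
	return d < maxDiff, nil
}

func main() {
	// Constructed 40-character feature strings (not real biometric data), so
	// each of the 20 pieces is 2 characters long.
	enrolled, _ := deriveTemplate("0123456789abcdefghijklmnopqrstuvwxyzABCD")
	sameUser, _ := deriveTemplate("0123456789abcdefghijklmnopqrstuvwxyzABCX") // last piece differs
	otherUser, _ := deriveTemplate("ZYXWVUTSRQPONMLKJIHGFEDCBA9876543210zyxw")

	d1, _ := differingParts(enrolled, sameUser)
	d2, _ := differingParts(enrolled, otherUser)
	fmt.Printf("same user:  %2d of %d pieces differ\n", d1, parts)
	fmt.Printf("other user: %2d of %d pieces differ\n", d2, parts)
}
```

Counting differences per hashed piece is what makes a threshold possible at all: a single hash over the whole feature string either matches exactly or not, so a rule such as "fewer than 10 characters differ" only has meaning for derivatives whose characters carry position-wise information, such as altered pixel values or per-piece digests. The trade-off is that a short piece (here two characters) can be recovered by hashing every candidate value, so pieces should be long enough to resist that search.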

Meanwhile, at step S226, the processing server computer may search for arecord on the public blockchain relating to the electronic identity andfirst biometric template. The processing server computer may search theblockchain for a data block that comprises the electronic identity. Inone embodiment, this may be done by scanning the blockchain for a datablock comprising the record identifier generated at step S209. Forexample, the processing server computer may be coupled to a relationaldatabase, in which electronic identities are linked to entries for atransaction ID and transaction timestamp relating to the time at whichan electronic identity was used to enroll a user into the biometricauthentication program. The processing server computer may then searchthe blockchain for a record that comprises the transaction ID andtransaction timestamp. In one embodiment, the record may comprise hashesof the electronic identity and of the derivative of the first biometrictemplate, and the processing server computer may verify that the hashesof the electronic identity and of the derivative of the first biometrictemplate match expected results. For example, the processing servercomputer may concatenate strings for the electronic identity and for thederivative and input the concatenated string into SHA256( ). Theprocessing server computer may then determine if the resulting outputmatches a corresponding record identified on the blockchain. Inembodiments, this type of verification may be seen as a first validationcheck.

At step S227, the processing server computer may validate the record byverifying one or more digital signatures appended to the record. In oneembodiment, a digital signature may be verified by inputting the digitalsignature and the public key of the alleged signing entity into averification algorithm and determining if the output matches expectedresults. At step S228, the processing server computer may determine anauthentication result based at least upon the comparison of thederivatives and the validity of the electronic identity. According toembodiments, the authentication result may be considered positive (i.e.authentic user), if both of the derivatives of the biometric templatesmatch and if the digital signatures appended to the record of the eIDand derivative being linked (i.e. certificate of enrollment) arevalidated.
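The following Go program, added here as an example and not taken from the original document, carries the enrollment record through steps S208, S209, S213, S226, S227 and S228: it forms the eID, hashes the eID together with the enrolled derivative, has the verification server sign the record and the processing server countersign it, and then validates a record against the eID presented in an authentication request and the first derivative retrieved from the authentication data database. Ed25519 from Go's standard library stands in for the FIPS DSA named in the text, the record layout and function names are this example's own, and the derivatives and timestamp are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// generateEID follows step S208: SHA-256 over the '*'-joined identity
// attributes, rendered as upper-case hex.
func generateEID(country, name, dob, ssnLast4 string) string {
	sum := sha256.Sum256([]byte(strings.Join([]string{country, name, dob, ssnLast4}, "*")))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// EnrollmentRecord is the certificate of enrollment that is published to the
// blockchain. The field layout is this example's own.
type EnrollmentRecord struct {
	Hash         string // hex SHA-256 of the eID concatenated with the first derivative
	Timestamp    string // when the verification server verified the user
	VerifierSig  []byte // signature of the verification server (step S209)
	ProcessorSig []byte // countersignature of the processing server (step S213)
}

// recordHash is the linkage hash described at step S209.
func recordHash(eid, derivative string) string {
	sum := sha256.Sum256([]byte(eid + derivative))
	return hex.EncodeToString(sum[:])
}

// signedBytes is what each entity signs: the hash together with the timestamp,
// so that neither can be altered without invalidating the signatures.
func signedBytes(r EnrollmentRecord) []byte {
	return []byte(r.Hash + "|" + r.Timestamp)
}

// newRecord is the verification server's part of step S209.
func newRecord(eid, derivative, timestamp string, verifierKey ed25519.PrivateKey) EnrollmentRecord {
	r := EnrollmentRecord{Hash: recordHash(eid, derivative), Timestamp: timestamp}
	r.VerifierSig = ed25519.Sign(verifierKey, signedBytes(r))
	return r
}

// countersign is the processing server's part of step S213.
func countersign(r EnrollmentRecord, processorKey ed25519.PrivateKey) EnrollmentRecord {
	r.ProcessorSig = ed25519.Sign(processorKey, signedBytes(r))
	return r
}

// validateRecord performs steps S226 and S227: recompute the hash from the eID
// in the authentication request and the first derivative retrieved from the
// authentication data database (first validation check), then verify both
// signatures against the public keys the processing server trusts.
func validateRecord(r EnrollmentRecord, eid, firstDerivative string, verifierPub, processorPub ed25519.PublicKey) error {
	if recordHash(eid, firstDerivative) != r.Hash {
		return errors.New("record hash does not match eID and enrolled derivative")
	}
	msg := signedBytes(r)
	if !ed25519.Verify(verifierPub, msg, r.VerifierSig) {
		return errors.New("verification server signature invalid")
	}
	if !ed25519.Verify(processorPub, msg, r.ProcessorSig) {
		return errors.New("processing server signature invalid")
	}
	return nil
}

// authenticationResult is step S228: positive only when the derivative
// comparison of step S225 succeeded and the record validated.
func authenticationResult(derivativesMatch bool, recordErr error) bool {
	return derivativesMatch && recordErr == nil
}

func main() {
	verifierPub, verifierKey, _ := ed25519.GenerateKey(rand.Reader)
	processorPub, processorKey, _ := ed25519.GenerateKey(rand.Reader)

	eid := generateEID("USA", "JOHNSMITH", "19700101", "1234")
	firstDerivative := "constructed-derivative-from-step-S203" // placeholder, not a real derivative
	rec := countersign(newRecord(eid, firstDerivative, "2020-01-01T00:00:00Z", verifierKey), processorKey)

	fmt.Println("eID:", eid)
	genuine := validateRecord(rec, eid, firstDerivative, verifierPub, processorPub)
	fmt.Println("genuine record valid:", genuine == nil)
	// Re-linking the eID to a different enrolled derivative fails the first
	// validation check even though both signatures are intact.
	fmt.Println("re-linked record valid:", validateRecord(rec, eid, "attacker-derivative", verifierPub, processorPub) == nil)
	fmt.Println("authentication result:", authenticationResult(true, genuine))
}
```

The first validation check ties the signed hash to the specific eID and first derivative the processing server actually retrieved, so a record cannot be reused to vouch for a different enrollment; the signature checks then tie that linkage to the two entities whose public keys the processing server trusts. Publishing the record to the blockchain provides tamper evidence and availability for the record itself, but the authentication decision rests on these two checks together with the derivative comparison.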

At step S229, the processing server computer may send the authenticationresult to the mobile device in an authentication response message. Theauthentication result may first be sent to the resource providercomputer and then forwarded to the mobile device. If the authenticationresult is positive, then the resource provider computer may consider theuser's credentials authentic and may grant access to a requestedresource. For example, the resource provider computer may be a computerthat unlocks the door of a building, and a positive authenticationresult may initiate actuators to disable the door's locking mechanism.

According to embodiments of the invention, the process described byFIGS. 2A and 2B may allow a user to prove his or her identity usingsecure biometric authentication. The biometric may be a fingerprint,image of the user's face, recording of the user's voice, etc. asprovided by a biometric reader of the user's mobile device. A derivedtemplate of the user's biometrics may be first registered duringenrollment and linked to an electronic identity unique to the user. Thegeneration of the electronic identity and its association with thederivative of the biometric template may be represented as a recordpublished on a public blockchain. The record may serve as a certificateof enrollment, and may be digitally signed by trusted entities (banks,government institutions, etc.) so as to provide greater validationchecks. The electronic identity may be stored on the user's mobiledevice, and may be sent to a processing server computer to authenticatethe user during an interaction with a resource provider. Theauthentication process may further comprise taking a second sample of auser's biometric to generate a derivative of a second biometric templatethat may be compared to the derivative generated during enrollment. Themethod provided can be more secure than other biometric authenticationsystems, in that a user's biometric template is derived so as to concealthe nature of data stored therein. Furthermore, the validity of thebiometric template is also dependent on the validity of the electronicidentity, as determined by the verification of digital signaturesappended to a record on a blockchain. Thus, embodiments of the inventionprovide a method of authentication that is both more secure and moreconvenient than other means of proving one's identity.

FIG. 3 shows a block diagram of a processing server computer for implementing biometric authentication. Processing server computer 300 shown may be processing server computer 150 of FIG. 1. Processing server computer 300 may comprise a processor 310 for executing instructions, and a network interface 320 for communicating over a network. Processing server computer 300 may further comprise a computer readable medium 330. Computer readable medium 330 may be a memory storing executable instructions in the form of code. Computer readable medium 330 may comprise modules of code that may be executed by processor 310 such as communication module 330A, mapping module 330B, authentication data storage module 330C, signing module 330D, block writing module 330E, authentication request module 330F, data lookup module 330G, derivative comparison module 330H, signature validation module 330I, and authentication response module 330J. Processing server computer 300 may further be coupled to one or more databases such as eID mapping database 300A, authentication data database 300B, and public blockchain 300C.

eID mapping database 300A may be a database in which electronic identities are linked to user data. In embodiments, the user data may include a derivative of a biometric template of the user. During enrollment of a user into a biometric authentication program, processing server computer 300 may receive an identity request message comprising an electronic identity and a derivative of a biometric template of the user. Processing server computer 300 may then link the electronic identity to the derivative of the biometric template of the user in a mapping table (i.e., lookup table) of eID mapping database 300A, which may later be queried during authentication of the user. For example, eID mapping database 300A may be a relational database in which electronic identities in a column are each linked in a row to one or more identifiers for one or more derivatives of biometric templates. As explained above, an electronic identity may be a hash that is mathematically derived from information associated with a user.

A derivative of a biometric template may also be represented as a string, such as a string of altered pixel values for an image (e.g., "255 232 45 678 56 23 . . . 345 76 44 767 433 345"). In one embodiment, an identifier for the derivative of the biometric template may be stored in eID mapping database 300A, rather than the derivative of the biometric template itself. Meanwhile, the derivative itself may be stored in authentication data database 300B. For example, a derivative may be identified by a derivative identifier, 'derivative #129578190,' which may be referenced by an authentication server to query for and retrieve the derivative from authentication data database 300B.

Authentication data database 300B may be a database in which userauthentication data may be stored. In embodiments, the userauthentication data may comprise a derivative of a biometric template ofa user. In one embodiment, authentication data database 300B may beaccessible by processing server computer 300, by way of anauthentication server. For example, processing server computer 300 maysend a request for authentication data to the authentication server,which may retrieve the authentication data from authentication datadatabase 300B. The request may comprise an identifier for theauthentication data, such as a derivative ID identifying a derivative ofa biometric template of a user (e.g. ‘derivative #129578190’).

Public blockchain 300C may be a distributed database in which immutable records are stored and chained together. In one embodiment, the immutable records may comprise records for the certification of an electronic identity into a biometric authentication program. The immutable records may further be verifiable through a distributed verification network, in which records may be validated by trusted entities. The trusted entities may validate an immutable record by verifying the digital signatures appended to the record using the public keys of the signing entities. For example, a server computer of a payment processing network may validate a record by inputting the record, its signature, and the public key of the bank that allegedly notarized the record into a verification algorithm, and then checking whether the signature verifies.

As explained above, processing server computer 300 may comprise a plurality of software modules, which may comprise instructions for executing tasks according to embodiments. Communication module 330A may comprise instructions for sending, receiving, and reformatting messages. The messages may be sent and received by processing server computer 300 over network interface 320. For example, processing server computer 300 may receive identity request messages and authentication request messages, and may send identity response messages and authentication response messages over network interface 320.

Mapping module 330B may comprise instructions for mapping electronicidentities to user data. The user data may include a derivative of abiometric template of a user. According to embodiments, a verificationserver may generate an electronic identity (eID) for a user uponverification of an account identifier of the user. The verificationserver may forward an identity request message comprising the eID and aderivative of a biometric template of the user to processing servercomputer 300. Mapping module 330B may comprise instructions foridentifying data fields in an identity request message allocated for aneID and for a derivative. Mapping module 330B may further compriseinstructions for reading the data fields, and storing data of the fields(or identifiers thereof) in a database. For example, the electronicidentity and a derivative identifier may be stored in eID mappingdatabase 300A, where they may be linked to each other in a mappingtable. In one example, the processing server computer may store in a rowof a relational database, an electronic identity for:754WD2E2513BF546050C2D079FF5D65AB6E318E along with an identifier for aderivative of a biometric template, such as: ‘derivative #129578190.’ Inanother embodiment, the electronic identity may further be linked to anidentifier for a record of the eID and derivative being linked, such asa transaction ID or certificate ID, which may be used to identify therecord on public blockchain 300C.

Authentication data storage module 330C may comprise instructions for storing user authentication data in a database. According to embodiments, the authentication data may comprise a derivative of a biometric template of a user. In one embodiment, authentication data storage module 330C may comprise instructions for attaching an identifier to the derivative of the biometric template of the user, and may further comprise instructions for sending the derivative to an authentication server. The authentication server may store the derivative in authentication data database 300B along with its identifier, so that it may be identified and retrieved at a later time.

Signing module 330D may comprise instructions for signing a record using a private key. According to embodiments, records may be signed by trusted entities in a distributed verification network according to a digital signature algorithm. Processing server computer 300 may be a node of the distributed verification network, and signing module 330D may comprise code instructing processor 310 to sign a received record using its private key, in conjunction with the digital signature algorithm.

Block writing module 330E may comprise instructions for initiating writing of data to public blockchain 300C. According to embodiments, public blockchain 300C may be used to store records relating to the enrollment of a user into a biometric authentication program. Each record may comprise an indication of an electronic identity and a derivative of a biometric template of a user being linked. Each record may further comprise one or more digital signatures of trusted entities. In one embodiment, processing server computer 300 may initiate the publishing of records to public blockchain 300C by broadcasting a new data block. For example, block writing module 330E may comprise code instructing processor 310 to generate a new data block for a record. Block writing module 330E may further comprise instructions for broadcasting the new data block to public blockchain 300C so that a node of a distributed network storing copies of public blockchain 300C may publish the new data block. The method for writing to a public blockchain may vary according to the method of consensus established for the blockchain. Example methods of consensus governing the writing of blocks in a blockchain may include proof-of-work, proof-of-stake, proof-of-space, proof-of-authority, etc.

Authentication request module 330F may comprise instructions for decoding data received in an authentication request message. According to embodiments, an authentication request message may be received by processing server computer 300 from a resource provider computer so that processing server computer 300 may authenticate a user. In one embodiment, the authentication request message may comprise an electronic identity and a derivative of a biometric template of the user. The electronic identity and the derivative may be included together in the authentication request message (e.g. as an appended string), and authentication request module 330F may comprise instructions for decoupling the electronic identity and derivative. Authentication request module 330F may comprise instructions for processor 310 to identify one or more data fields allocated for the electronic identity and derivative, read the one or more data fields, and declare variables to which the electronic identity and derivative should be assigned. For example, processor 310 may determine that the first 30 characters of an appended string should be assigned and allocated as an electronic identity, and that the remaining 100 characters are assigned and allocated as a derivative.

Data lookup module 330G may comprise instructions for looking up data in a database, such as eID mapping database 300A. According to embodiments, when an authentication request message is received by processing server computer 300, processing server computer 300 may identify an electronic identity received in the message, and may determine a derivative of a biometric template linked to the electronic identity. The derivative linked to the electronic identity may be linked in eID mapping database 300A, and data lookup module 330G may comprise instructions for querying eID mapping database 300A for the electronic identity and any data linked to it. For example, eID mapping database 300A may be a relational database, and data lookup module 330G may include instructions for retrieving a row of data in the relational database that comprises an electronic identity received in an authentication request message. The row of data may further comprise an identifier for a derivative of a biometric template of a user (e.g. ‘derivative #129578190’).

Derivative comparison module 330H may comprise instructions for comparing derivatives of a first and second biometric template. According to some embodiments, a derivative of a first biometric template stored during enrollment may be compared to a derivative of a second biometric template to authenticate a user. In one embodiment, two derivatives may be considered a match if a predetermined number of data elements of the derivatives match. For example, derivatives of feature data for a user's fingerprint may be expressed as a string of characters representing a sequence of values. The sequence of values may be values for biometric template data that have been mathematically derived. A match may be determined by comparing each corresponding character between two strings and determining if a predetermined number of characters match. In another example, a derivative of a sample of a user's face may be represented as a matrix of altered pixel values. A match may be determined by comparing each corresponding matrix element between two matrices and determining if a predetermined number of elements match. In other examples, a derivative may be expressed as a series of bits, bytes in an array, etc. Derivative comparison module 330H may comprise instructions for comparing data elements of two derivatives and determining a match if the data elements match within a predetermined threshold (e.g. at least 90% of characters matching between two strings). In some embodiments, the derivatives of the biometric templates can be compared by using less data than the entire biometric template, and the comparison process can use a “zero-knowledge proof” protocol in some embodiments.

Signature validation module 330I may comprise instructions for validating one or more digital signatures using one or more public keys. According to embodiments, during authentication, a record on public blockchain 300C may be searched and may comprise one or more digital signatures. In one embodiment, signature validation module 330I may comprise code instructing processing server computer 300 to validate the one or more signatures according to a digital signature algorithm (DSA). The code may comprise instructions for retrieving or obtaining one or more public keys of the signing entities, and verifying the one or more digital signatures with the one or more public keys, in conjunction with a verification algorithm. For example, the signing entities may include banks and governments, which may allow access to their public keys in a distributed verification network. The public keys may be retrieved by processing server computer 300 and used to determine if the digital signatures appended to a record are valid.

Authentication response module 330J may comprise instructions for generating an authentication response comprising an authentication result. According to some embodiments, a user may be authenticated during an interaction upon the determination of a positive authentication result (i.e. user credentials determined to be authentic). In one embodiment, processing server computer 300 may determine an authentication result based on both the comparison of derivatives of a first and second biometric template of a user and the validity of an electronic identity. The comparison of derivatives may be determined using instructions from derivative comparison module 330H, and the validity of the electronic identity (eID) may be based on the validation of one or more digital signatures appended to a record relating to the eID. Authentication response module 330J may comprise code for determining the authentication result, and for inserting the authentication result into an authentication response message. For example, authentication response module 330J may comprise instructions for generating a positive authentication result if a match occurs between compared derivatives and if an electronic identity is determined to be valid. Authentication response module 330J may further comprise code for inserting the positive authentication result in an authentication response message. The authentication response message comprising the authentication result may then be sent to a resource provider computer and forwarded to a user device to authenticate the user of the device (e.g. for the purpose of gaining access to a network).
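The server-side decision described for modules 330F through 330J, as an added Python example that is not part of the patent. The 30/100-character split of the appended string, the 90% threshold, and the derivative identifier come from the text; the eID value, the derivative strings, and the HMAC stand-in for the trusted entities' public-key signatures are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

EID_LEN = 30            # first 30 characters of the appended string (page example)
DERIV_LEN = 100         # remaining 100 characters are the derivative (page example)
MATCH_THRESHOLD = 0.90  # at least 90% of elements must agree (page example)

def decouple_request(appended: str):
    """Authentication request module 330F: split the appended string into eID and derivative."""
    if len(appended) != EID_LEN + DERIV_LEN:
        raise ValueError("authentication request has unexpected length")
    return appended[:EID_LEN], appended[EID_LEN:]

def derivatives_match(first, second, threshold=MATCH_THRESHOLD) -> bool:
    """Derivative comparison module 330H: element-wise comparison against a threshold.
    Works for any equal-length sequences (character strings, byte arrays, a flattened
    pixel matrix); sequences of unequal length are rejected rather than padded."""
    if len(first) == 0 or len(first) != len(second):
        return False
    matching = sum(1 for a, b in zip(first, second) if a == b)
    return matching / len(first) >= threshold

@dataclass
class LinkRecord:
    """Blockchain record stating that an eID and a derivative identifier are linked."""
    eid: str
    derivative_id: str
    signatures: dict = field(default_factory=dict)  # signer name -> signature bytes

    def payload(self) -> bytes:
        return f"{self.eid}|{self.derivative_id}".encode()

# Assumption: HMAC keys stand in for the trusted entities' DSA public keys (the standard
# library has no DSA); a real node verifies each signature with the entity's public key.
TRUSTED_KEYS = {"bank": b"constructed-bank-key", "government": b"constructed-gov-key"}

def sign_record(record: LinkRecord, signer: str) -> None:
    """Signing module 330D (constructed stand-in): append one trusted entity's signature."""
    record.signatures[signer] = hmac.new(TRUSTED_KEYS[signer], record.payload(), hashlib.sha256).digest()

def record_valid(record: LinkRecord, required=("bank", "government")) -> bool:
    """Signature validation module 330I: every required signer's signature must verify."""
    for signer in required:
        sig = record.signatures.get(signer)
        if sig is None:
            return False
        expected = hmac.new(TRUSTED_KEYS[signer], record.payload(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
    return True

def authenticate(appended: str, mapping_table: dict, auth_db: dict, ledger: dict) -> dict:
    """Authentication response module 330J: positive only if derivatives match AND eID is valid."""
    eid, second = decouple_request(appended)
    derivative_id = mapping_table.get(eid)   # data lookup module 330G / eID mapping database 300A
    first = auth_db.get(derivative_id)       # authentication data database 300B
    record = ledger.get(eid)                 # record on public blockchain 300C
    match = first is not None and derivatives_match(first, second)
    valid = (record is not None and record.derivative_id == derivative_id
             and record_valid(record))
    return {"eid": eid, "match": match, "eid_valid": valid,
            "result": "positive" if (match and valid) else "negative"}

# Constructed enrollment state (sample data, not from the page except the derivative id).
EID = "EID" + "0" * 26 + "1"                        # 30-character electronic identity
FIRST_DERIVATIVE = "A" * 50 + "B" * 50              # 100-character derivative stored at enrollment
MAPPING_TABLE = {EID: "derivative #129578190"}
AUTH_DB = {"derivative #129578190": FIRST_DERIVATIVE}
RECORD = LinkRecord(EID, "derivative #129578190")
sign_record(RECORD, "bank")
sign_record(RECORD, "government")
LEDGER = {EID: RECORD}

# A fresh sample differing in 5 of 100 elements (95% agreement) should authenticate;
# one differing in 15 elements (85%) should not.
CLOSE_SAMPLE = "A" * 45 + "x" * 5 + "B" * 50
FAR_SAMPLE = "A" * 35 + "x" * 15 + "B" * 50
```

Note that a record whose signatures verify but whose derivative identifier disagrees with the mapping table is still treated as invalid, so a match on the biometric alone never yields a positive result.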

According to some embodiments of the invention, processing server computer 300 may process data to implement biometric authentication for users. The users may enroll into a biometric authentication program using a user device. The user device may be used to generate a derivative of a first biometric template of a user, and to request an electronic identity that may be certified in a record published to public blockchain 300C. The user device may store the user's electronic identity for later use in an interaction. During an interaction, the user device may generate a derivative of a second biometric template of the user, which may be sent to processing server computer 300. Processing server computer 300 may then authenticate the user based on the comparison of derivatives of the first and second biometric template of the user, and based on the validity of the electronic identity generated for the user.

FIG. 4 shows a block diagram of a user device for implementing biometric authentication. User device 410 may be mobile device 110 of FIG. 1. User device 410 may comprise memory 411. Memory 411 may store data, such as data for one or more applications. The one or more applications may include authentication application 412 and resource provider application 420. User device 410 may further comprise biometric reader 414 for reading biometric samples of a user and biometric interface 413 for transmitting data between biometric reader 414 and an application of the user device. Examples of biometric reader 414 may include a fingerprint reader, a front-facing camera, a microphone, etc. User device 410 may further comprise communications element 415 for allowing communications between user device 410 and other devices, such as through wireless communications (e.g. via antenna 419).

In addition, user device 410 may also comprise data input/output 416 for receiving inputs from a user. For example, data input/output 416 may be an input element of a touchscreen from which display icons may be selected, and on which a virtual keyboard may be displayed to receive user commands. User device 410 may also comprise display 417 for displaying data to a user and processor 418 for processing data and executing instructions to complete tasks.

According to embodiments, a user may enroll into a biometric authentication program for proving his or her identity in an interaction with a resource provider. The interaction may be, for example, a transaction with a merchant or a login attempt into a network. A user may enroll via authentication application 412, which may connect the user to one or more server computers over a network. Authentication application 412 may be used to derive a biometric template of the user taken from biometric interface 413 and biometric reader 414, which may be linked by one of the server computers to an electronic identity (eID) generated for the user. The eID may be stored on user device 410, and during an interaction, user device 410 may send the eID and a derivative of a second biometric template (e.g. via communications element 415 and antenna 419) to the server computer for authentication. An authentication result may be determined based on the comparison of the derivative of the second biometric template to the derivative of the first biometric template recorded during enrollment, and based on the validity of the electronic identity. User device 410 may then receive the authentication result, indicating if the user's identity has been successfully proven.

A number of technical advantages are provided by the described embodiments over the prior art. Embodiments of the invention allow a user to identify himself or herself in an interaction using his or her mobile device. This eliminates the need to carry around physical identification cards, which may be inconvenient for users. According to embodiments, a user may simply identify himself or herself using a biometric (e.g. by taking a current picture of his or her face, or by reading his or her fingerprint). Furthermore, embodiments of the invention are more secure than other biometric authentication methods previously conceived. For example, a user's biometric data is derived rather than sent in the clear, yet may still be verified without revealing a user's original biometric. In addition, embodiments of the invention subject the use of a user's biometric data to numerous validation checks involving digital signatures of trusted parties and immutable records. This may prevent a criminal actor from successfully using fake or stolen identities in the authentication system. In terms of the distributed nature of the identity verification and biometric authentication servers, embodiments of the invention provide APIs that allow for compatibility with a plurality of verification entities, thus allowing for ease of performing validation checks and providing greater security as needed.

Any of the computer systems mentioned herein may utilize any suitable number of subsystems. In some embodiments, a computer system includes a single computer apparatus, where the subsystems can be the components of the computer apparatus. In other embodiments, a computer system can include multiple computer apparatuses, each being a subsystem, with internal components.

A computer system can include a plurality of the same components or subsystems, e.g., connected together by an external interface. In some embodiments, computer systems, subsystems, or apparatuses can communicate over a network. In such instances, one computer can be considered a client and another computer a server. A client and a server can each include multiple systems, subsystems, or components mentioned herein.

The specific details of particular embodiments may be combined in any suitable manner without departing from the spirit and scope of embodiments of the invention. However, other embodiments of the invention may be directed to specific embodiments relating to each individual aspect, or specific combinations of these individual aspects.

It should be understood that the present invention as described above can be implemented in the form of control logic using hardware and/or using computer software in a modular or integrated manner. Based on the disclosure and teachings provided herein, a person of ordinary skill in the art will know and appreciate other ways and/or methods to implement the present invention using hardware and a combination of hardware and software.

Any of the software components or functions described in this application may be implemented as software code to be executed by a processor using any suitable computer language such as, for example, Java, C++ or Perl using, for example, conventional or object-oriented techniques. The software code may be stored as a series of instructions or commands on a computer readable medium for storage and/or transmission; suitable media include random access memory (RAM), a read only memory (ROM), a magnetic medium such as a hard-drive or a floppy disk, or an optical medium such as a compact disk (CD) or DVD (digital versatile disk), flash memory, and the like. The computer readable medium may be any combination of such storage or transmission devices.

Such programs may also be encoded and transmitted using carrier signals adapted for transmission via wired, optical, and/or wireless networks conforming to a variety of protocols, including the Internet. As such, a computer readable medium according to an embodiment of the present invention may be created using a data signal encoded with such programs. Computer readable media encoded with the program code may be packaged with a compatible device or provided separately from other devices (e.g., via Internet download). Any such computer readable medium may reside on or within a single computer program product (e.g. a hard drive, a CD, or an entire computer system), and may be present on or within different computer program products within a system or network. A computer system may include a monitor, printer, or other suitable display for providing any of the results mentioned herein to a user.

The above description of exemplary embodiments of the invention has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise form described, and many modifications and variations are possible in light of the teaching above. The embodiments were chosen and described in order to best explain the principles of the invention and its practical applications to thereby enable others skilled in the art to best utilize the invention in various embodiments and with various modifications as are suited to the particular use contemplated.

1. A method comprising: receiving, by a user device, a second biometric template of a user; providing, by the user device, an authentication request message comprising an electronic identity and a derivative of the second biometric template of the user to a resource provider computer to conduct an interaction, the authentication request being forwarded to a processing server computer by the resource provider computer; and receiving, by the user device, an authentication response message comprising an authentication result from the processing server computer, wherein the authentication result is determined by the processing server computer based on a comparison of the derivative of the second biometric template to a derivative of a first biometric template accessible to the processing server computer, and wherein the authentication result is also based on a validity of the electronic identity.
 2. The method of claim 1, further comprising: receiving, by the user device, the first biometric template of the user; generating, by the user device, the derivative of the first biometric template; generating, by the user device, an identity request message for an electronic identity for the user, the identity request message comprising the derivative of the first biometric template and an account identifier of the user; sending, by the user device, the identity request message to a verification server, wherein the verification server verifies the account identifier and generates the electronic identity, and wherein the electronic identity is linked to the derivative of the first biometric template in a database by the processing server computer; receiving, by the user device, an identity response message comprising the electronic identity; and storing, by the user device, the electronic identity in a memory of the user device for later use in an interaction.
 3. The method of claim 2, wherein the processing server computer initiates publishing of a record to a blockchain, the record comprising a record of the electronic identity and the derivative of the first biometric template of the user being linked.
 4. The method of claim 3, wherein the validity of the electronic identity is based at least upon the record published on the blockchain of the electronic identity and the derivative of the first biometric template of the user being linked.
 5. (canceled)
 6. (canceled)
 7. The method of claim 2, wherein the derivative of the first biometric template and the derivative of the second biometric template are derived from the first biometric template and second biometric template of the user respectively by passing the first and second biometric template through an algorithm.
 8. The method of claim 2, wherein the derivative of the first biometric is stored and retrieved by the processing server computer by communicating with an authentication server.
 9. A server computer comprising: a network interface; a processor; and a non-transitory computer-readable medium comprising code for instructing the processor to implement a method, the method comprising: receiving, by the server computer, an authentication request message comprising an electronic identity and a derivative of a second biometric template of a user of a user device; determining, by the server computer, a derivative of a first biometric template linked to the electronic identity; retrieving, by the server computer, the derivative of the first biometric template; comparing, by the server computer, the derivative of the first biometric template to the derivative of the second biometric template; and determining, by the server computer, an authentication result based at least upon the comparing of the derivative of the first biometric template to the derivative of the second biometric template and at least upon a validity of the electronic identity.
 10. The server computer of claim 9, wherein the method further comprises: receiving, by the server computer, an identity request message comprising the derivative of the first biometric template and the electronic identity, wherein the electronic identity is received from a verification server after the verification server verifies an account identifier of the user; linking, by the server computer, the derivative of the first biometric template and the electronic identity in a mapping table; storing, by the server computer, the derivative of the first biometric template in a database; and generating, by the server computer, an identity response message comprising the electronic identity, wherein the identity response message is received by the user device, and wherein the user device stores the electronic identity in a memory of the user device for later use in an interaction.
 11. The server computer of claim 10, wherein the method further comprises: initiating, by the server computer, publishing of a record to a blockchain, the record comprising a record of the electronic identity and the derivative of the first biometric template being linked.
 12. The server computer of claim 11, wherein determining the authentication result based at least upon the validity of the electronic identity comprises: comparing, by the server computer, the electronic identity to a record on the blockchain of the electronic identity and the derivative of the first biometric template being linked; and validating, by the server computer, the electronic identity if the electronic identity matches the record published on the blockchain.
 13. (canceled)
 14. (canceled)
 15. The server computer of claim 10, wherein the derivative of the first biometric template and derivative of the second biometric template are derived from the first biometric template and second biometric template of the user respectively by passing the first and second biometric template through an algorithm.
 16. The server computer of claim 10, wherein storing the derivative of the first biometric template in a database comprises: sending, by the server computer, the derivative of the first biometric template to an authentication server, wherein the authentication server stores the derivative of the first biometric template in the database, and wherein retrieving the derivative of the first biometric template comprises sending a request to the authentication server.
 17. A resource provider computer comprising: a network interface; a processor; and a non-transitory computer-readable medium comprising code for instructing the processor to implement a method, the method comprising: receiving, by the resource provider computer, an authentication request message from a user device of a user, the authentication request message comprising an electronic identity and a derivative of a second biometric template of the user; sending, by the resource provider computer, the authentication request message to a processing server computer, the processing server computer determining an authentication result based at least upon a comparison of the derivative of the second biometric template to a derivative of a first biometric template and based at least upon a validity of the electronic identity; receiving, by the resource provider computer, from the processing server computer, an authentication response message comprising the authentication result; sending, by the resource provider computer, the authentication response message to the user device; and authenticating, by the resource provider computer, the user if the authentication result indicates that the derivative of the second biometric template and the derivative of the first biometric template match, and if the authentication result indicates that the electronic identity is valid, wherein the electronic identity is generated by a verification server upon verification of an account identifier of the user.
 18. The resource provider computer of claim 17, wherein the validity of the electronic identity is based at least upon a record published on a blockchain of the electronic identity and the derivative of the first biometric template being linked.
 19. (canceled)
 20. (canceled) 